Description
memset() is often used for data sanitization in security sensitive software to harden against information leaks. However, compiler dead store elimination passes can remove that hardening. Recently, I had been late in reviewing a PR against OpenZFS that was intended to harden against information leaks, but used memset() in a way vulnerable to dead store elimination. I caught it upon review, verified that GCC truly was eliminating 4 memset() calls that had been dead stores to stack memory and submitted the following now merged patch to fix it:
Every PR to OpenZFS is scanned by CodeQL. While we are not using the security-and-extended checks, I have skimmed through their reports in my fork and did not see any warnings about this. I run several static analyzers on the codebase and none of them reported this, although the documentation for the commercial static analyzer, PVS Studio, suggests that it is able to report such issues:
https://pvs-studio.com/en/docs/warnings/v570/
It would be nice if CodeQL at least had an optional check to catch this. Please let me know if it already has one that I missed.
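An added illustration of the pattern described in this issue (hypothetical example code, not OpenZFS code or the merged patch): a stack buffer holding key material is cleared with a plain memset() that nothing reads afterwards, which an optimizing compiler may drop, beside a volatile-store zeroization that the compiler must keep. The seed values, the derive_and_use_key_* functions and secure_memzero() are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* Vulnerable pattern: the final memset() stores to stack memory that is
 * never read again before the function returns, so dead store elimination
 * is allowed to remove it and the key bytes can survive on the stack. */
static uint8_t derive_and_use_key_vulnerable(const uint8_t *seed) {
    uint8_t key[KEY_LEN];
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(seed[i] ^ 0x5A);
    for (size_t i = 0; i < KEY_LEN; i++) acc ^= key[i];
    memset(key, 0, sizeof key); /* dead store: may be eliminated at -O2 */
    return acc;
}

/* Hardened zeroization: stores through a volatile pointer are observable
 * side effects, so the compiler must emit every one of them. Where
 * available, explicit_bzero() or memset_s() serve the same purpose. */
static void secure_memzero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

static uint8_t derive_and_use_key_hardened(const uint8_t *seed) {
    uint8_t key[KEY_LEN];
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(seed[i] ^ 0x5A);
    for (size_t i = 0; i < KEY_LEN; i++) acc ^= key[i];
    secure_memzero(key, sizeof key); /* kept: volatile stores are not dead */
    return acc;
}

/* Self-checks: secure_memzero() really clears a filled buffer, and the
 * hardened variant computes the same result as the vulnerable one. */
int secure_memzero_works(void) {
    uint8_t buf[KEY_LEN];
    memset(buf, 0xAB, sizeof buf);
    secure_memzero(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++) if (buf[i] != 0) return 0;
    return 1;
}

int variants_agree(void) {
    uint8_t seed[KEY_LEN]; /* constructed sample seed */
    for (size_t i = 0; i < KEY_LEN; i++) seed[i] = (uint8_t)(i * 7);
    return derive_and_use_key_vulnerable(seed) == derive_and_use_key_hardened(seed);
}

int main(void) {
    printf("zeroization ok: %d, variants agree: %d\n", secure_memzero_works(), variants_agree());
    return 0;
}
```

To confirm what the compiler actually did, build both variants at -O2 and inspect the disassembly (for example with objdump -d): the memset() in the vulnerable variant is typically absent while the volatile store loop remains.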